release v0.9.1: VM verification sweep 22 → 27
release / build (arm64) (push) Waiting to run
release / build (x86_64) (push) Waiting to run
release / build (x86_64-static / musl) (push) Waiting to run
release / build (arm64-static / musl) (push) Waiting to run
release / release (push) Blocked by required conditions
Five more CVEs empirically confirmed end-to-end against real Linux VMs:
- CVE-2019-14287 sudo_runas_neg1 (Ubuntu 18.04 + sudoers grant)
- CVE-2020-29661 tioscpgrp (Ubuntu 20.04 pinned to 5.4.0-26)
- CVE-2024-26581 nft_pipapo (Ubuntu 22.04 + mainline 5.15.5)
- CVE-2025-32463 sudo_chwoot (Ubuntu 22.04 + sudo 1.9.16p1 from source)
- CVE-2025-6019 udisks_libblockdev (Debian 12 + udisks2 + polkit rule)

Required real plumbing work:
- Per-module provisioner hook (tools/verify-vm/provisioners/<module>.sh)
- Two-phase provision in verify.sh (prep → reboot if needed → verify)
  fixes silent-fail where new kernel installed but VM never rebooted
- GRUB_DEFAULT pinning in both pin-kernel and pin-mainline blocks
  (kernel downgrades like 5.4.0-169 → 5.4.0-26 now actually boot the target)
- Old-mainline URL fallback in pin-mainline (≤ 4.15 debs at /v$KVER/ not /amd64/)

mutagen_astronomy marked manual: true — mainline 4.14.70 kernel-panics on Ubuntu 18.04's rootfs ('Failed to execute /init (error -8)' — kernel config mismatch). Genuinely needs a CentOS 6 / Debian 7 image.
+39 -14
@@ -139,19 +139,6 @@ if ! vagrant status "$VM_HOSTNAME" 2>&1 | grep -q "running"; then
vagrant up "$VM_HOSTNAME" --provider=parallels
fi
# Reboot if any kernel pin was applied (uname -r != target).
if [[ -n "$KERNEL_PKG" || -n "$MAINLINE" ]]; then
current_kver=$(vagrant ssh "$VM_HOSTNAME" -c "uname -r" 2>/dev/null | tr -d '\r')
target_match="$KERNEL_VER"
[[ -n "$MAINLINE" ]] && target_match="$MAINLINE"
if [[ "$current_kver" != *"$target_match"* ]]; then
echo "[*] current kernel $current_kver != target $target_match; rebooting..."
vagrant reload "$VM_HOSTNAME"
sleep 5
fi
fi
# Run the explain probe.
LOG="$LOG_DIR/verify-${MODULE}-$(date +%Y%m%d-%H%M%S).log"
# Force rsync the source tree in. vagrant up runs rsync automatically on
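Review bot: dropping this early reboot check is the right call, but note why it was dead weight: it compared `uname -r` against `$KERNEL_VER`/`$MAINLINE` straight after `vagrant up`, before this script had run any provisioner that installs or pins the target kernel, and its `vagrant reload` output went nowhere (`$LOG` is only assigned a few lines below it). Whatever replaces it needs to run after the kernel-pin provisioners and `tee` the reload output into `$LOG`, otherwise the "kernel installed but never rebooted" failure stays silent.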
@@ -160,8 +147,46 @@ LOG="$LOG_DIR/verify-${MODULE}-$(date +%Y%m%d-%H%M%S).log"
echo "[*] syncing source into VM..."
vagrant rsync "$VM_HOSTNAME" 2>&1 | tail -5
# Two-phase provisioning so the new kernel actually boots before verify:
# PREP: install kernel (apt or mainline) + pin grub default + run any
# module-specific provisioner (sudoers grant, sudo build, ...).
# ── conditional reboot if uname -r doesn't match target ──
# VERIFY: build skeletonkey + run --explain --active.
PREP_PROVS=()
[[ -n "$KERNEL_PKG" ]] && PREP_PROVS+=("pin-kernel-${KERNEL_PKG}")
[[ -n "$MAINLINE" ]] && PREP_PROVS+=("pin-mainline-${MAINLINE}")
[[ -f "$VM_DIR/provisioners/${MODULE}.sh" ]] && PREP_PROVS+=("module-provision-${MODULE}")
if [[ ${#PREP_PROVS[@]} -gt 0 ]]; then
echo "[*] running prep provisioners: ${PREP_PROVS[*]}"
vagrant provision "$VM_HOSTNAME" \
--provision-with "$(IFS=,; echo "${PREP_PROVS[*]}")" 2>&1 | tee "$LOG"
fi
# Reboot if a kernel pin moved us off the target. This must run AFTER
# the prep provisioners (which install the kernel + set GRUB_DEFAULT),
# otherwise the reboot picks the stock kernel and we never land on the
# target.
if [[ -n "$KERNEL_PKG" || -n "$MAINLINE" ]]; then
current_kver=$(vagrant ssh "$VM_HOSTNAME" -c "uname -r" 2>/dev/null | tr -d '\r')
target_match="$KERNEL_VER"
[[ -n "$MAINLINE" ]] && target_match="$MAINLINE"
if [[ "$current_kver" != *"$target_match"* ]]; then
echo "[*] current kernel $current_kver != target $target_match; rebooting..."
vagrant reload "$VM_HOSTNAME" 2>&1 | tee -a "$LOG"
sleep 5
post_kver=$(vagrant ssh "$VM_HOSTNAME" -c "uname -r" 2>/dev/null | tr -d '\r')
echo "[*] post-reboot kernel: $post_kver" | tee -a "$LOG"
if [[ "$post_kver" != *"$target_match"* ]]; then
echo "[!] reboot did NOT land on target kernel $target_match (got $post_kver)" | tee -a "$LOG"
echo " detect() will still run, but verification is on the wrong kernel" | tee -a "$LOG"
fi
fi
fi
echo "[*] running verifier..."
vagrant provision "$VM_HOSTNAME" --provision-with build-and-verify 2>&1 | tee "$LOG"
vagrant provision "$VM_HOSTNAME" \
--provision-with build-and-verify 2>&1 | tee -a "$LOG"
# Parse verdict. Vagrant prefixes provisioner output with the VM name
# (e.g. " skk-pwnkit: VERDICT: VULNERABLE"), so anchor on the VERDICT
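Review bot: the post-reboot check can fall through on a bad signal. `post_kver=$(vagrant ssh "$VM_HOSTNAME" -c "uname -r" 2>/dev/null | tr -d '\r')` discards the error if SSH is not back yet after `vagrant reload`, so `post_kver` is empty, the warning prints `(got )`, and the script carries on; treat an empty `post_kver` as a failure (retry a few times, then exit non-zero) rather than a mismatch. Likewise the mismatch branch only echoes `[!] reboot did NOT land on target kernel` and still runs `build-and-verify`, so the resulting `VERDICT:` line lands in `$LOG` looking like a valid result for the wrong kernel; either exit non-zero there or write a marker the verdict parser below keys on, so a wrong-kernel run is never counted as confirmed. Minor: `sleep 5` after `vagrant reload` is a fixed delay with no check behind it; the empty-`post_kver` handling above makes it redundant.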